Tricking users into copying different commands from what is displayed on a web page…

OK, maybe I'm late to this party, but I recently came across a very cool attack vector that I had not heard about until now. There's an excellent write-up on this (it was actually published in 2008), so I won't go through the details of how it works. There's also an interactive demo of it in action.

Essentially, this is a ruse that can be used to trick people into running a different command on their system than the one they thought they had copied from a website. Go ahead and try it out over at JSFiddle.net: copy the text within the 'result' box and paste it into a text editor to review the full command. Neat, huh?!

HTML rendered text example

HTML source of the attack – python reverse shell

The demo above is an attempt to shovel a reverse Python shell back to the attacker's system while making it look as if the command simply echoed "this is a test" to the screen, as expected. The proof of concept is shown below.

Attack Proof-of-Concept
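To make the mechanism concrete, here is a minimal page of the same shape as the demo. This is an added illustration, not the JSFiddle demo or its HTML, and the hidden command is a constructed, harmless stand-in (an extra echo followed by clear) rather than the reverse shell the original proof of concept carries. The trick is purely CSS: the hidden span is positioned off-screen, so it is never painted, but it is still part of the DOM selection and rides along into the clipboard.

```html
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Copy-paste ruse (added illustration)</title>
<style>
  /* Text inside .clip is part of the selection, so it is copied to the
     clipboard, but it is never painted where the reader can see it.
     display:none would not work: browsers drop such nodes from copied text. */
  .clip {
    position: absolute;
    left: -9999px;
    top: 0;
    width: 1px;
    height: 1px;
    overflow: hidden;
    font-size: 1px;
    color: transparent;
  }
</style>
</head>
<body>
<p>Run the following to check your shell:</p>
<!-- Rendered:  echo "this is a test"
     Copied:    echo "this part was hidden on the page"; clear; echo "this is a test"
     The hidden part is a benign placeholder; the demo on this page puts a
     reverse shell here instead. -->
<pre><span class="clip">echo "this part was hidden on the page"; clear; </span>echo "this is a test"</pre>
</body>
</html>
```

Pasting the selection into a text editor shows the whole line, which is exactly the check the post recommends. Note that if the hidden span contains a newline, a terminal without bracketed-paste protection runs the first line the moment it is pasted, before the user has a chance to look at it; bash 4.4+ (readline 7.0) can be hardened against that with `set enable-bracketed-paste on` in `~/.inputrc`, and recent zsh does it by default. Pages can also achieve the same substitution with a JavaScript `copy` event handler that rewrites the clipboard contents, so the defense is the same either way: review what was actually copied, not what was displayed.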

This is merely another vector that can be leveraged in social engineering attacks, and it demonstrates the risk of blindly copying and running commands from websites you do not trust. Always re-type commands like this, or paste them into a text editor first, rather than running them directly. Likewise, if you are cloning a repository from a resource such as GitHub, review the code before integrating it into your project. All too often websites are backdoored through themes or modules that were downloaded and installed from an untrusted repository without any code review. In general, don't implicitly trust anything at face value: trust, but verify…

LMC is much like RSA: they hold keys to many doors used by the U.S. Department of Defense, as well as by other members and customers of the military-industrial complex. And while LMC is mostly a staffing firm, selling skills and labor for defense contracts, it also has various stove-piped facilities for carrying out projects, including data centers, laboratories and cube farms, many of which house classified data such as engineering schematics for top secret projects.

Information of value that can be collected through an APT includes the specifics of the projects LMC is working on, human resources information on its employees, and the locations where work is performed. Access to this information helps open even more doors.

Unfortunately, the public has yet to be given enough details to determine whether LMC was the second step in a master plan or just an opportunistic target, chosen because of what the cryptographic material stolen from RSA made possible. We also don't know whether the attackers can pick a second target, or whether the worst-case scenario has been stopped cold by LMC's incident response team.

So who would the next target be? We know nothing about the assailants except that they are skilled, criminal and likely have access to significant resources. The U.S. military might be of no value to them at all; they might instead be after a commercial or political target.

The systemic failure the attackers are exploiting is that organizations responsible for the security of their clients are themselves targets: compromise the provider and you inherit a path into everyone who trusts it. Sound familiar? It's the same issue we have with "The Cloud" nowadays, where a cloud provider's own security failures lead to significant breaches at its customers. The only real difference with this attack is that they are aiming for the highest-profile security systems and succeeding.

It goes without saying that these events are not being whitewashed by the U.S. Government. In the future there may be a more advanced system for finding the source of APTs, presumably by advancing monitoring capabilities and increasing the number of participants in CyberScope or related technologies.

And while there may be no foolproof system in place now (and there may never be one), there are three primary precautions you can take to protect your organization from APTs:

1) Ensure that user activities are monitored and that appropriate monitoring systems are in place. Users of SIEM technologies such as LogRhythm can find suspicious behavior proactively across the enterprise, rather than waiting for post-incident forensics.

2) Educate employees so that they can identify suspicious activities, such as phishing e-mails, fake telephone solicitations, or other lapses in security enforcement such as tailgating through doors.

3) Isolate important information and add additional controls so that the compromise of a single computer or employee does not become a complete breach of company information.

Ever since Google was hacked in the notorious "Operation Aurora", the term Advanced Persistent Threat has come to the forefront of the computer security challenges organizations must face. APTs are attacks originating from groups with government-level funding, considerable patience to wait for an opportunity to exploit, and a specific mission to perform.

I’ve met the whole concept of APTs with personal skepticism. After all, the analysis of Google’s hack did not prove that the Chinese government was directly responsible, that the tools used exceeded the complexity of botnets formed by malware such as Bagle or Conficker, or that a basic penetration test could not have yielded similar results against any company, let alone an open-architected, public-minded company such as Google.

Regardless, many respected researchers do claim the attack was government sponsored and carried out with significant sophistication. They also claim that far more resources are likely being pushed into funded cyber attacks against influential organizations as other governments and well-funded criminal groups copy the approach.

For those who have been dealing with cyber crime over the last few decades, these threats sound like the threats that have been seen all along. Profit-motivated criminal organizations have created sophisticated malware with command-and-control systems that, among other things, search for and steal anything of value from an infected computer and send it to exfiltration servers located in shady data centers all around the world.

The role of integrated Security Information and Event Management (SIEM) and log management products such as LogRhythm is coming to the forefront of APT defense, establishing them as a fundamental element of security that is just as important as the old familiar defenses. APTs are likely to have centralized command and control, and the defense is to have at least the same capabilities as the attacker, in the form of a Security Information and Event Manager.

Regardless of whether you are concerned about emerging threats from cyber crime or insider threat, or feel your organization faces a direct threat from government-sponsored APTs, SIEM solutions like LogRhythm are an invaluable tool for responding to complex and targeted threats against your organization by addressing the following:

Without the right SIEM solution an organization may be blind to even basic threats. The illumination a SIEM provides can expose complicated and unknown threats by tracking information in enough detail to spot the anomalous behavior that APTs cannot hide. SIEMs are the most significant countermeasure available against Advanced Persistent Threats and are critical for limiting their impact.

About "The Dialog"

LogRhythm, the security intelligence company, helps organizations turn vast amounts of cryptic log and machine data into security intelligence. Similarly through our blog, "The Dialog", we'll provide you with useful information about how security intelligence and the technologies that comprise it can and are being used to help organizations detect threats and breaches faster and with greater accuracy than ever before.
